Remotely triggerable crash

Ethan Blanton elb at
Thu Sep 26 12:43:55 EDT 2013

Pho spake unto us the following wisdom:
> I've been playing with the XEP-0203 (Delayed Delivery), and i've found that
> the stanza:
> <message type="chat" to="pho at" id="ab30a">
> <body>die pidgin die</body>
> <delay xmlns='urn:xmpp:delay' stamp='2038-09-10T23:05:37Z'/>
> </message>
> Remotely crashes (at least) pidgin 2.10.6 and 2.10.7 for Windows.
> It just happens when the year is >=2038, and works on MUC too

Thank you for the report!  This is probably related to wraparound of a
32-bit time_t (as that happens sometime in 2038).  We will look into

Because this is a remotely triggerable crash, we request that you keep
it secret until the Pidgin release in which it is fixed.  We have a
number of outstanding less serious bugs to fix, so there will probably
be a release relatively soon.  We will request a CVE for this
vulnerability, set a release date for the corrected source, and
coordinate with the various vendors and distributions that ship Pidgin
and libpurple to release more or less simultaneously.

In order to make sure that you get the appropriate recognition for
discovery of this vulnerability, please let us know how you would like
to be credited.  The usual credit is full name and email address, but
this is entirely up to you.

We will make sure that you are notified of the embargo date and CVE
information for this vulnerability in advance of the release that
corrects it.

-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 482 bytes
Desc: Digital signature
URL: <>

More information about the security mailing list